
Rails 2.3 LTS Changelog

Sep 14th, 2021: Version

  • Relaxed requirement for Bundler. It is now possible to use Rails 2.3 LTS with Bundler 2 (given a compatible version of Ruby and Rubygems).

Mar 06th, 2021: Version

Jan 27th, 2021: Version

Jan 25th, 2021: Version

  • Added Ruby 2.7 compatibility.

Sep 29th, 2020: Version

Sep 10th, 2020: Version

  • Backported fix for potential XSS vulnerability in Action View (CVE-2020-15169), see details.

Aug 25th, 2020: Version

  • Fixes an issue with the script/server command not accepting certain parameters when running with rack > 1.1.
  • This release fixes no security issues.

Jun 17th, 2020: Announcement regarding CVE-2020-8184

  • No Rails 2.3 LTS release was necessary.
  • We backported the patch to our forked version of rack 1.4.

May 19th, 2020: Version

May 16th, 2020: Version

May 15th, 2020: Announcement regarding CVE-2020-8161 and CVE-2018-16471

May 07th, 2020: Version

  • Backported fix for arbitrary file write/potential remote code execution attack in actionpack (CVE-2020-8159), see details.

May 06th, 2020: Version

  • Backported fix for information disclosure vulnerability in Active Resource (CVE-2020-8151), see details.

Apr 30th, 2020: Version

  • Fixed a "floating point exception" crash which occasionally happened in tests only, on Ruby 1.8.7, on newer Linux kernels. This works around an apparent bug within Ruby 1.8.7 itself.

Mar 20th, 2020: Version

Dec 22nd, 2019: Version

  • Fixed ActiveRecord::SessionStore to not be vulnerable to timing attacks that can lead to session hijacking (CVE-2019-16782), see details.

Mar 22nd, 2019: Amendment to CVE-2019-5418

  • The previously reported CVE-2019-5418 has been upgraded to possible remote code execution. Rails LTS protects your application against this exploit.

Mar 14th, 2019: Version

  • Backported fixes for ActionView format / MIME type parsing (CVE-2019-5418 and CVE-2019-5419), see details.
  • Confirmed that 2.3 LTS is not affected by CVE-2019-5420.

Jan 23rd, 2019: Version

  • Add compatibility with Ruby 2.5.

Nov 20th, 2018: Version

  • Fix a regression introduced in where calling #respond_to? on a named scope would sometimes cause the scope to be loaded.

Oct 10th, 2018: Version

  • Fix parameter filtering (password, etc.) in log files for Ruby 2.3.

Aug 2nd, 2018: Version

  • Fixed a crash when using rails new-app. This is not a security issue.

Mar 21st, 2018: Version

Mar 20th, 2018: Not affected by sanitization CVEs

A vulnerability was disclosed for some Ruby sanitization gems like loofah (CVE-2018-8048) and sanitize (CVE-2018-3740). This also affects recent Rails versions, whose sanitize() helper depends on loofah.

We have confirmed that the sanitize() helper in Rails 2.3 is not affected by this issue.

Note that if your application uses one of the affected gems directly, you may still be affected and should update to the latest version of these gems.

Aug 12th, 2016: Version

Apr 1st, 2016: Version

This is a bugfix release only, no security issues have been fixed.

  • Fixes issues when using the rake rails:freeze:gems command
  • Depend on rake < 11.0, since rake 11 is no longer 1.8.7 compatible.

Mar 1st, 2016: Version


Jan 26th, 2016: Version

Backported a fix for CVE-2016-0751: Possible Object Leak and Denial of Service attack in Action Pack.

Backported a fix for CVE-2016-0753: Possible Input Validation Circumvention in Active Model.

Nov 10th, 2015: Version

Added support for installing LTS via our own gem server to reduce download times.

June 17th, 2015: Version

Backported a fix for Possible Denial of Service attack in Active Support (CVE-2015-3227).

You can now upgrade Rails LTS 2.3 to use rack 1.4. You should upgrade rack to at least 1.4.6 to address Potential Denial of Service Vulnerability in Rack (CVE-2015-3225).

This release also contains two backward-compatible fixes that make it easier to upgrade to Ruby 2.2, courtesy of Peter Lind. Note that using Rails 2.3 with Ruby 2+ involves considerable work and is not supported by us.

April 14th, 2015: Ruby patches

A vulnerability was disclosed in all versions of Ruby.

Since Ruby 1.8.7 and Ruby 1.9.3 are no longer maintained at this time, we have provided backported fixes for CVE-2015-1855: Ruby OpenSSL Hostname Verification.

Please note that the Rails LTS service only covers security patches for the Rails framework. We are unable to guarantee backported security patches for Ruby 1.8.7 or 1.9.3 in the future.

October 31st, 2014: Version

Backported a fix for Arbitrary file existence disclosure in Action Pack (CVE-2014-7818). 2.3 was affected.

Note that there was also a vulnerability affecting Sprockets. 2.3 does not use Sprockets by default, but you might have integrated it manually.

June 3rd, 2014: Version

Backported a fix for SQL Injection Vulnerability in 'bitstring' quoting (CVE-2014-3482) affecting PostgreSQL users.

Note that there was also "SQL Injection Vulnerability in 'range' quoting" (CVE-2014-3483) which did not affect Rails 2.3.

May 20th, 2014: Version

Add a switch to fail on ambiguous table / column names to mitigate Unsafe Query Risk in Active Record.

May 7th, 2014: Version

Backported a fix for Directory Traversal Vulnerability With Certain Route Configurations (CVE-2014-0130).

February 19th, 2014: Version

February 14th, 2014: Version

Backported an old security advisory with CVE-2012-1099 to Rails LTS.

January 31st, 2014: Version

Rails LTS now offers a version number.

Starting with today's release, you can query RailsLts::VERSION to check which version you are using.

Applications such as Brakeman or Code Climate can make use of that information now, too.

December 4th, 2013: Version

Five security advisories were published on the official Rails security list:

  • CVE-2013-6414
  • CVE-2013-4491
  • CVE-2013-6415
  • CVE-2013-6417
  • CVE-2013-6416

We provided a patched version of Rails LTS for commercial plans as of today.

November 22nd, 2013

A vulnerability was disclosed in all versions of Ruby.

Since Ruby 1.8.7 is no longer maintained at this time, we have provided a backported fix for "Heap Overflow in Floating Point Parsing (CVE-2013-4164)".

Please note that the Rails LTS service only covers security patches for the Rails framework. We are unable to guarantee backported security patches for Ruby 1.8.7 in the future.

October 16th, 2013

150 days without accident! After a storm of severe security vulnerabilities earlier this year, the Ruby on Rails framework seems to be enjoying a short respite.
We continue to monitor the official Rails security list for new advisories.

June 20th, 2013

We are now officially supporting installation without Bundler or Git.

June 18th, 2013

Added missing tests that ensure fixes for CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155.

June 3rd, 2013: Version

Fix XSS vulnerability in the translate helper method in Ruby on Rails.

This vulnerability was disclosed a long time ago (in November 2011) and affects Rails 2.3 applications with the rails_xss plugin. However, a fix for Rails 2.3 was never released, so we have fixed this in Rails LTS.

May 29th, 2013: Version

Backported a fix for a bug in the built-in HTML tokenizer, which would crash for certain types of malformed HTML.

May 27th, 2013

Fixed many broken tests.

May 21st, 2013: Version

Added optional switches to disable the parsing of XML params and JSON params. These are disabled by default in order to preserve compatibility with Rails 2.3.18.

The switches are enabled in hardened configuration mode.

May 15th, 2013: Version

Rails LTS is compatible with the official Rails 2.3.18 release.
Rails LTS now contains fixes for CVE-2012-3464, CVE-2012-3465 and CVE-2012-2695.

Owner of this card: Tobias Kraze